On Fri, Aug 05, 2016 at 01:44:10PM -0600, Dave Carroll wrote: > In aacraid's ioctl_send_fib() we do two fetches from userspace, one > the get the fib header's size and one for the fib itself. Later we use > the size field from the second fetch to further process the fib. If > for some reason the size from the second fetch is different than from > the first fix, we may encounter an out-of- bounds access in > aac_fib_send(). We also check the sender size to insure it is not > out of bounds. This was reported in > https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was assigned > CVE- 2016-6480. > > Reported-by: Pengfei Wang <wpengfeinudt@xxxxxxxxx> > Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)' > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Dave Carroll <david.carroll@xxxxxxxxxxxxx> Thanks Dave, Reviewed-by: Johannes Thumshirn <jthumshirn@xxxxxxx> -- Johannes Thumshirn Storage jthumshirn@xxxxxxx +49 911 74053 689 SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nürnberg) Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850 -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html